Getting Started CSAM


Qualys CyberSecurity Asset Management (CSAM) is asset management reimagined for 
security teams. Global AssetView (GAV) is part of CSAM and works in conjunction with 
the Qualys Cloud Platform and Qualys sensors (scanners, cloud connectors, container 
sensors, cloud agents, passive sensors and APIs) to continuously discover assets. 


Global AssetView (GAV) / CSAM provides you with a single source of truth for your assets. It’s
a central location where you can view the data collected from the different sensors
you’ve deployed. Data collected from your sensors automatically populates the asset
inventory. That data is then normalized, categorized, and enriched so you can make
better sense of it and group it in many ways.


[Screenshot: CSAM home page]
- Discover and Inventory: Use multiple Qualys sensors, including cloud agent, to gain comprehensive asset inventory. Enrich it with business context from CMDB sync.
- Detect and Monitor: Detect software and hardware end of life, monitor unauthorized and missing required software.
- Report and Respond: Define alerts, uninstall unauthorized software and produce compliance reports.


GAV and CSAM 


GAV (which is free) lets you: 
- Obtain asset inventory across hybrid environments 
- View normalized and categorized hardware and software inventory information 
- Add custom tagging to automatically organize your assets and rank their 
criticality 
- Create and view customizable dashboards and widgets 
- Search any asset in seconds 


On top of GAV, upgrading to CSAM will also include: 
- Enriched asset data: hardware & software lifecycles, license categories, and more
- Bi-directional synchronization of asset data with your ServiceNow CMDB
- Ability to define and manage authorized and unauthorized software in your organization
- Customizable reporting to meet internal and external needs (e.g. standards compliance reporting)
- Alerting via email, Slack or PagerDuty to inform you about assets requiring attention


The module picker in the Qualys user interface lists both CSAM (paid) and GAV (free) for
all accounts.

Qualys Subscription with GAV 



Qualys customers that were using the free version of the Global Asset Inventory (GAI) 
application are automatically migrated to GAV. For such accounts, clicking on either the 
CSAM or GAV module will always open GAV. 




Please consult your Qualys TAM for more information on upgrading your Qualys 
subscription to include CSAM. 




Qualys Subscription with CSAM 


For accounts with CSAM included in the subscription, clicking on either the CSAM or 
GAV module will always open CSAM. 




Discover and Inventory Assets 


Qualys Asset Management begins by identifying and managing assets throughout your 
enterprise architecture. 


On the CSAM home page, you can get a snapshot of your overall environment and 
configure your environment. It’s a useful baseline point to start you on your journey. 


Qualys has various sensor types that collect data for you. 


Cloud Agent 


Qualys Cloud Agents install locally on the host assets they protect, sending all collected
data to the Qualys Cloud Platform for analysis.


Agents can be downloaded from the Qualys Cloud Agent application or the GAV / CSAM 
“Home” page. 


Here, you’ll find the same download executables and installation commands as you
would within the Qualys Cloud Agent application.


[Screenshot: Download and Install Cloud Agent dialog. Select the OS and download the agent installer to your local machine. Run the installer on each host from an elevated command prompt.]

Installers shown in the dialog:
- Windows: exe (x86_64)
- Linux: rpm (x64), rpm (ARM64), deb (x64), deb (ARM64)
- Mac: pkg (x64)
- AIX: .bff.gz (Power5)
- BSD: txz (x64)
- Solaris: pkg (x86_64), .pkg (SPARC)
- Linux PPC 64 LE: rpm (ppc64le)
- Core OS: tar.xz (x64)


Qualys Cloud Agent supports multiple operating systems. For a complete list of 
supported operating systems, see the Cloud Agent Getting Started Guide: 
https://www.qualys.com/docs/qualys-cloud-agent-getting-started-guide.pdf 


When you deploy agents to your host systems, you get free inventory that populates
the GAV / CSAM application.


For a detailed discussion of Qualys Cloud Agent deployment and configuration, please 
see the “Cloud Agent Self-Paced Training Course” (qualys.com/learning). 


Passive Sensor 


Qualys Passive Sensor operates in “promiscuous” mode, capturing network traffic and
packets from either a network TAP or the SPAN port of a network switch.


Simply deploy passive sensors at strategic network locations to begin monitoring
network traffic and conversations.


Both physical (hardware-based) and virtual sensor appliances are available.


An important advantage of capturing network traffic comes from the bonus
information collected from network conversations (conversations between
communicating hosts).


[Screenshot: Traffic Details view showing total ingress and egress and traffic by family]


A passive sensor not only collects the traffic from “managed” company assets, but it also 
sees traffic from other host assets and services that are attempting to communicate 
with your “managed” host assets (including communications coming from unknown or 
“unmanaged” assets). 


Please consult the next topic to learn more about Passive Sensor types and deployment 
scenarios. 


Scanner Appliance 


Any Qualys user with scanning privileges has access to Qualys’ pool of Internet-based 
Scanner Appliances. 




Qualys Hardware-based and Virtual Scanner Appliances can be deployed throughout 
your business or enterprise architecture. 


Qualys Virtual Scanner appliances are available for multiple virtualization platforms: 


- Citrix XenServer
- Microsoft Hyper-V
- VMware Workstation, Workstation Player, Fusion
- VMware ESXi, vCenter Server (standard)
- VMware vCenter Server (vApp)
- OpenStack
- Microsoft Azure
- Google Cloud Platform


For a detailed discussion of Scanner Appliance deployment and usage, please see the 
“Scanning Strategies and Best Practices Self-Paced Training Course” 
(qualys.com/learning). 


Cloud Connector 


Create connectors for your AWS, Google, and Azure accounts. 




Enumerate cloud instances and collect useful metadata such as:
- Instance or virtual machine ID
- Location or region
- External and private IPs
- Installed software and active services
- and much more...


Search Tip: Within the Qualys GAV / CSAM application, use the “inventory.source”
query token to quickly find AWS, Azure, and Google instances:


- AWS: inventory.source:INSTANCE_ID
- Azure: inventory.source:VIRTUAL_MACHINE_ID
- Google: inventory.source:GCP_INSTANCE_ID


Leverage Qualys Cloud Security Assessment (CSA) to identify and correct
misconfigurations.


For more information and details on deploying and using Qualys Connectors, see the 
“Cloud Security Assessment and Response Self-Paced Training Course” 
(qualys.com/learning). 


Container Sensor 


Qualys Container Sensor is installed on a Docker host as a container application, right 
alongside other containers. 




Once installed, CS will assess all new and existing Docker images and containers for
vulnerabilities (i.e., Qualys KnowledgeBase).




Types of Container Sensors:
- General: Scan container hosts (Docker, cri-o, containerd).
- Registry: Scan images in public or private registries.
- CI/CD Pipeline: Scan images within CI/CD pipeline (e.g., Jenkins, Bamboo, etc.).


For more information and details on deploying and using Qualys Container Sensors, see 
the “Container Security Self-Paced Training Course” (qualys.com/learning). 


Asset Inventory


The data collected from the various sensors you have deployed in your environment is 
populated into CSAM, among other Qualys Applications. 


All assets discovered by the various sensors are listed under the Inventory section under 
the Assets tab in the Qualys user interface. 


CSAM provides a powerful search engine that lets you craft simple or advanced queries
combining multiple asset criteria and returning results instantly, so you can find out in 2
seconds:

- How many unmanaged devices are in my environment?
- How many servers are in my environment, and what servers are running an OS that its vendor recently stopped supporting?
- How many IoT devices are in my environment?
- How many databases are running in my datacentres?
- Which IT assets have a particular piece of software installed?
- How many Lenovo laptops running the latest version of Windows 10 and located in my India office have a particular vulnerability?

...and some more.


You can perform searches with a click of your mouse, using the faceted search pane or 
build custom queries using the “Search” field. 


If you have virtualized hosts and also want to see where they are located, you
can use a tag to filter. Or, if you want to know all of your notebooks in a given
location, you can use tags to help you find them.


[Screenshot: “Search” field containing a query built from operatingSystem.category1 tokens, with the “Last 30 Days” time range selected]


You can combine query tokens, values, and Boolean operators to create more complex 
search queries. 




How to Search 


The “Help” icon (on the right side of the “Search” field) provides information, syntax,
and examples on how to search.


Navigate to the following URL to view the “Getting Started with CSAM” tutorial: 


https://ior.ad/7Hn1 


Passive Sensor


Most organizations focus on collecting inventory and management of KNOWN assets,
assuming their processes allow them to cover 100% of devices. However, not all devices
can be discovered and managed using a single approach (e.g., agent, remote scanning).
Passive sensing technology is designed to identify all devices, allowing IT and Security
teams to discover and remediate coverage gaps.


With Qualys Network Passive Sensor (aka PS), organizations can get complete discovery
of all assets (servers, desktops, printers, smartphones, IoT, OT, etc.).
- The goal of PS is to completely, passively, discover all assets active on organizations’ networks.
- Passive discovery does not generate any traffic on the network; it evaluates data flowing on the network.
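

The coverage-gap idea described here and in the earlier Passive Sensor overview (a passive sensor also sees unknown or “unmanaged” hosts talking to managed ones) can be reproduced on any flow data. The Python below is an added illustration, not Qualys code or a Qualys export format; the record layout, networks and addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample data (assumption: this layout is not a Qualys format).
INTERNAL_NETS = [ip_network("10.20.0.0/16")]

# Inventory already known from active sensors: IP -> sensor that reported it.
MANAGED = {"10.20.1.10": "cloud-agent", "10.20.1.11": "scanner"}

# (source IP, destination IP, bytes) as observed on a mirrored port.
FLOWS = [
    ("10.20.1.10", "10.20.1.11", 8_550_000),  # managed <-> managed, nothing to report
    ("10.20.5.20", "10.20.1.10", 2_060),      # unknown host talks to a managed one
    ("10.20.5.20", "10.20.1.11", 538),
    ("203.0.113.9", "10.20.1.10", 4_000),     # external peer, outside the inventory scope
    ("10.20.1.10", "10.20.5.200", 1_200),     # managed host sends to an unknown IP
    ("not-an-ip", "10.20.1.10", 10),          # malformed record
]


@dataclass
class Gap:
    """An internal address seen on the wire but absent from the inventory."""
    ip: str
    bytes_seen: int = 0
    sent_traffic: bool = False                 # True once the address is seen as a source
    managed_peers: set = field(default_factory=set)


def _internal(raw, nets):
    """Return the normalized address if it parses and is internal, else None."""
    try:
        addr = ip_address(raw)
    except ValueError:
        return None
    return str(addr) if any(addr in net for net in nets) else None


def find_unmanaged(flows, managed, nets):
    """List internal addresses that appear in flows but not in the inventory."""
    gaps = {}
    for src, dst, nbytes in flows:
        # Each flow is examined from both ends: the unknown host may be either one.
        for raw, peer, is_src in ((src, dst, True), (dst, src, False)):
            ip = _internal(raw, nets)
            if ip is None or ip in managed:
                continue
            gap = gaps.setdefault(ip, Gap(ip))
            gap.bytes_seen += nbytes
            gap.sent_traffic = gap.sent_traffic or is_src
            if peer in managed:
                gap.managed_peers.add(peer)
    # Addresses that actually sent traffic come first: an address seen only as a
    # destination may be an unanswered probe rather than a live host.
    return sorted(gaps.values(), key=lambda g: (not g.sent_traffic, -g.bytes_seen, g.ip))


if __name__ == "__main__":
    for gap in find_unmanaged(FLOWS, MANAGED, INTERNAL_NETS):
        status = "active" if gap.sent_traffic else "destination only"
        print(f"{gap.ip:<14} {status:<17} {gap.bytes_seen:>8} B  peers={sorted(gap.managed_peers)}")
```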


Use Cases 


- Discovery of all assets connected to the network to ensure all devices are managed appropriately
- Discovery of IoT devices to ensure all devices on the network are identified
- Discovery of OT devices to ensure OT environment is discovered
- Discovery of traffic data (Beta feature) to identify unusual traffic patterns


Availability 


PS can be included in your Qualys subscription with any of the below options: 


- Available standalone (free subscription)
  - Virtual appliances available at no cost
  - Physical appliances need to be purchased
- Part of CSAM subscription
  - Includes Traffic Analysis (Beta) feature
  - Traffic Analysis needs to be enabled separately
  - Virtual appliances available at no cost
  - Physical appliances need to be purchased
- Part of VMDR subscription
  - Virtual appliances available at no cost
  - Physical appliance needs to be purchased


Physical Appliance


The physical appliance is available in the following configuration sizes (based on data
throughput capabilities):


- 1Gbps: Typically, Passive Sensors with Gigabit interfaces would be sufficient for an aggregate traffic not exceeding 900 Mbps for up to 5,000 active assets.
- 4Gbps: Passive Sensors with a 10G interface may need to be attached to discover and profile up to 10,000 active assets while supporting an aggregate traffic throughput of 4 Gbps per appliance.
- 10Gbps: Passive Sensors with multiple 10G interfaces may need to be attached to discover and profile up to 20,000 active assets while supporting an aggregate traffic throughput of 10 Gbps per appliance.


[Diagram: PS Physical Appliance, showing the sniffing interface receiving mirrored traffic from the switch]


The Management Interface of the sensor appliance is assigned an IP address and must 
successfully connect to the Qualys Cloud Platform. 


The Sniffing Interface is not assigned an IP address and receives traffic from a network 
TAP or the SPAN port of a network switch. 


A personalization code is used to bind the appliance to your subscription in the same 
way a scanner appliance is deployed. 


Please consult the Physical PS appliance User Guide for more information on 
configuration requirements and usage: 


Virtual Appliance


- Available as Hyper-V or VMware images
- Able to scale up/down throughput based on virtual machine configuration


[Diagram: PS Virtual Appliance, showing the management interface, the sniffing interface, and mirrored traffic from the switch]


When you deploy the virtual appliance, it is deployed on a
VMware ESXi / Microsoft Hyper-V Server.


There are two interfaces: one for management and one for “mirrored” traffic.


The mirrored/sniffing traffic port is connected to your switch. This is the port that watches
the traffic. It doesn’t get an IP.


The management traffic port sends the data back to the Qualys Platform. It gets
an IP.


A personalization code is used to bind the appliance to your subscription in the same 
way a scanner appliance is deployed. 


Please consult the Virtual PS appliance User Guide for more information on resource 
requirements, configuration, and usage: 
https://www.qualys.com/docs/qualys-network-passive-sensor-virtual-appliance-user- 


Navigate to the following URL to view the “Passive Sensor Deployment” tutorial: 


https://ior.ad/7OZM 


Deployment Scenarios 


Enterprises that use the Qualys Network Passive Sensors to monitor their networks have
to feed a copy of their network traffic to the sensor. This can be accomplished by
tapping into their network at an appropriate choke point using port mirroring. There
may be different types of network environments and topologies where it may or may
not be possible to deploy the passive sensor at the same location as the tap point.


Based on these choices, different types of port mirroring options must be exercised: 


1. Local SPAN
Switch Port Analyzer (SPAN) is an efficient, high-performance traffic monitoring
system. It mirrors traffic from one or more interfaces or VLANs to one or more
interfaces on the same switch. This method is also called Local SPAN. In this
method, the appliance is deployed at the same location as the switch
and can be connected directly to one of the switch ports.


2. RSPAN
If your network has many Layer 2 switches, it may not be possible to do
local mirroring on each Layer 2 switch and deploy multiple passive sensors
connecting to the SPAN port of each Layer 2 switch. To handle this situation, you
need to use the Remote Switch Port Analyzer (RSPAN) method to centralize the
mirrored traffic from various Layer 2 switches. RSPAN provides remote monitoring
of traffic from source ports distributed over multiple switches. It supports source
ports, source VLANs, and destination ports on different switches.


3. ERSPAN
Some enterprises may have a requirement to passively monitor their networks,
including those remotely located, and it may not be possible to install a sensor in
each of the remote locations. To monitor traffic across a WAN or different
networks, you can use Encapsulated Remote Switch Port Analyzer (ERSPAN).


The ERSPAN feature supports source ports, source VLANs, and destination ports
on different switches, which provides remote monitoring of multiple switches
across your network.


ERSPAN allows mirrored traffic to be encapsulated and transported over an L3
network to a remote destination. This requires that each location has switches
with ERSPAN capability and that the switches are configured to tunnel mirrored traffic
to a destination L3 switch/router interface.


Please consult the PS Deployment Guide for more information on deployment scenarios and
configuration steps:
https://www.qualys.com/docs/qualys-network-passive-sensor-deployment-guide.pdf


Business Context from CMDB Sync


Organizations use ServiceNow to define, structure, and automate the flow of work, 
removing dependencies on email and spreadsheets to transform the delivery and 
management of services for the enterprise. 


ServiceNow stores information about all technical services used in an enterprise in a
Configuration Management Database or CMDB. Within the CMDB, the support
information for each service offering is stored in a Configuration Item (CI) specific to
that service. This information includes the service name and description, assignment
groups, change management approvers and service roles as well as other business
information directly related to the service support.


Qualys CMDB Sync synchronizes Qualys IT asset discovery and classification with the 
ServiceNow Configuration Management Database (CMDB) system. Qualys CMDB Sync 
automatically updates the ServiceNow CMDB with any assets discovered by Qualys and 
with up-to-date information on existing assets, giving ServiceNow users full visibility of 
their global IT assets on a continuous basis. Conversely, if an asset is added to the 
ServiceNow CMDB, Qualys CMDB Sync will add it to the Qualys asset inventory. 


Integration Methods 


There are 2 different Qualys apps for ServiceNow CMDB Sync:
- Qualys ServiceNow CMDB Sync App
- Qualys ServiceNow CMDB Sync Service Graph Connector App


Please consult the following link for a detailed description of the Qualys CMDB Sync App: 
https://www.qualys.com/docs/qualys-cmdb-sync-v2.pdf 


The Qualys CMDB Sync Service Graph Connector App is intended for ServiceNow
‘Orlando’ and later versions.


Please consult the following link for a detailed description of the Qualys CMDB Sync 
Service Graph Connector App: 
https://www.qualys.com/docs/qualys-asset-inventory-cmdb-sync-ire.pdf 


For both integration types, you must have a valid Qualys account subscription with API
Access and access to the following modules:
- Qualys Subscription with CSAM (Qualys to ServiceNow Sync)
- CMDB Sync enabled within your Qualys subscription (Qualys to ServiceNow Sync)
- Vulnerability Management (ServiceNow to Qualys Sync)


In addition to the above prerequisites, additional plugins must be installed in
ServiceNow if using the Qualys CMDB Sync Service Graph Connector App:


Please consult the ServiceNow documentation for detailed installation steps for the
above plugins:
https://docs.servicenow.com/bundle/orlando-servicenow-platform/page/product/configuration-management/concept/c_CMDBIdentifyandReconcile.html


Business Information Sync 


Asset metadata can be synchronized for assets that exist in both ServiceNow and
Qualys. ServiceNow stores business information including owners, environment,
business applications, etc. You can enrich Qualys inventory by importing this business
context. The list of business attributes that can be imported in Qualys includes:
- Status (e.g., in-repair, lost/stolen)
- Organization (Company, Business Unit, Department)
- Owned By - Who owns the asset
- Managed By - Responsible person
- Supported By - Supporting person
- Environment (e.g., Prod/Lab/Test)
- Assigned Location (Country, City)
- Business App/Service name
- Business Criticality


This information helps security teams to better understand the environment, organize 
scans, prioritize assets and vulnerabilities and provide accurate scope to remediation 
teams. 


This business information can be accessed from the CSAM user interface, through 
search queries and using Qualys APIs. 


Navigate to the following URL to view the “Business Context from CMDB Sync” 
tutorial: 


https://ior.ad/7MPL 


Hardware, Software and OS Classification


For IT organizations to make data-powered decisions and drive processes, such data 
must be relevant, clean, structured and often enriched with additional data points. 


CSAM uses the raw data provided by the sensors and normalizes and categorizes it into 
standardized names and structures. It then enriches this data with software and 
hardware lifecycles, software type (commercial or open-source), etc. 


Hardware Classification 


CSAM categorizes hardware assets based on an internally developed classification/ 
categorization system. The categorization, which gives the user an idea about the 
primary function of the product, has been derived from standard industry terms as well 
as other well-known industry classification systems. 




In order to see assets in CSAM, your authenticated scan or Cloud Agent scan needs to 
have run and completed successfully. 


The Inventory > Assets tab gives you an overview of assets in your organization. 


Here you can view bar charts for the top hardware categories. Clicking a specific bar 
from the chart allows you to view the list of assets for the specific category. 




A query is automatically populated in the search bar based on the click you make. You 
can also use the faceted search on the left which allows you to filter this data further by 
tag and manufacturer. 


If you have virtualized hosts and also want to see where they are located, you
can use a tag to filter. Or, if you want to know all of your notebooks in a given
location, you can use tags to help you find them. CSAM categorizes your hardware in
this way.


CSAM provides a structured hierarchy for hardware that allows filtering, grouping and
aggregation at different granularity levels (e.g. Category, Manufacturer, Product, and
Model). If you would like to identify all the hardware categories in your account,
navigate to the "Assets" tab, click "Group Assets by..", select Hardware and then
Category.




CSAM follows a two-level classification system, namely Level 1 Category and Level 2
Category:


- Level 1 category: Major/broad category to which the hardware asset belongs.
- Level 2 category: Subcategory, i.e., specific to the product’s primary function.


Examples: 
a) "Lenovo ThinkPad P50 20ENOO1LUS" > Computers / Notebook > Level 1: Computers, Level 2: Notebook
b) "Fuji Xerox ApeosPort-IV C7780" > Printers / Multi-Function Printer (MFP) > Level 1: Printers, Level 2: Multi-Function Printer (MFP)


CSAM is capable of categorising hardware assets related to IT, OT, and IoT/IIoT. There are
currently 19 Level 1 categories and 90 Level 2 categories for classifying hardware assets
in CSAM.


[Screenshot: asset list filtered by the query hardware.category: `Virtualized / Virtual Machine`]


Clicking on the asset count for any category will show a filtered list of all matching
assets in the resulting page.


Navigate to the following URL to view the “Hardware Classification” tutorial: 


http://ior.ad/7OeV 


Operating System Classification 


Similar to hardware classification, normalized data in CSAM has operating systems 
categorized based on an internally developed classification/ categorization system. 


It follows a two-level classification system — namely Level 1 Category and Level 2 
Category. 
- Level 1 Category: Indicates the operating system family. 
- Level 2 Category: Indicates whether the operating system is for client, server or 
virtualized environments. 


Example: 

a) "Apple macOS High Sierra" > Mac / Client > Level 1: Mac, Level 2: Client 
b) "VMware ESXi" > Virtualization / Hypervisor Type-1 (Bare Metal) > Level 1: 
Virtualization, Level 2: Hypervisor Type-1 (Bare Metal) 


There are currently 13 Level 1 categories and 5 Level 2 categories for classifying 
operating systems. 




You can group assets by their OS, OS category levels, publisher, name, architecture, 
market version, update level and edition. 


Navigate to the following URL to view the “OS Classification” tutorial: 


https://ior.ad/7Of3 


Software Classification


Normalized data in CSAM also has software applications categorized based on an
internally developed classification/categorization system.


It follows a two-level classification system similar to hardware and OS. 
- Level 1 Category: Major or broad category to which the software application 
belongs. 
- Level 2 Category: Subcategory, i.e. specific to the product's core function. 


Examples: 

a) McAfee Endpoint Security Platform > Security / Endpoint Protection > Level 1: 
Security, Level 2: Endpoint Protection 

b) Oracle MySQL > Databases / RDBMS > Level 1: Databases, Level 2: RDBMS 


A few other examples of categories:

- Application Development / Framework
- Security / Endpoint Management and Security
- Application Development / Development Tool
- Network Application / Internet Browser
- Storage / Backup and Recovery, etc.


There are currently 29 Level 1 categories and 149 Level 2 categories for classifying
software applications. Qualys is continuously updating its taxonomy to classify a more
diverse range of software products, so these numbers are subject to change.


The Inventory > Software tab gives you an overview of all software in your organization. 


Navigate to the following URL to view the “Software Classification” tutorial: 


https://ior.ad/7Ofe 


Software License Type 


The software license category indicates the type of license under which the software 
product is available, followed by the particular license model the product follows. 


There are two types of licenses: Commercial and Open Source.


1. Commercial: The product is available under a proprietary license, i.e. the publisher
retains intellectual property rights such as copyright of the source code.

Examples:

a) "Microsoft Edge" Licensing: Commercial / Free
b) "Adobe Photoshop" Licensing: Commercial / Licensed


2. Open Source: Open source software is distributed with source code that may be
freely accessed, used, modified and shared by its users. However, terms and
conditions for sharing and modifying the source code vary by the type of open
source license used. The second value denotes the model of the Open Source
license that the software follows.

Examples:

a) "MongoDB" Licensing: Open Source / GNU Affero General Public License v3 (AGPL-3.0)
b) "PHP" Licensing: Open Source / PHP License (PHP-3.0)


CSAM currently covers around 75 unique Open Source license models captured to date.


Navigate to the following URL to view the “Software-Commercial and EOL” tutorial: 


https://ior.ad/7Ofl 


Asset Tags


There are many ways to organize the host assets within your Qualys subscription, 
including geographic location, service or function, device type, operating system, asset 
owner, IP address range (netblock), and more. 


Although the methods listed above are common, you may choose other grouping or 
labelling methods that are unique to your company or organization. 


The proper use of Asset Tags will allow you to effectively organize and manage host 
assets. Asset Tags can be configured to accomplish numerous objectives, such as: 


- Creating targets for scanning, reporting, and remediation.
- Assigning access privileges to user accounts.
- Host identification and inventory management.


One thing to keep in mind is having a naming convention for every Asset Tag. This will 
allow you to query your assets in a more structured way without requiring that you 
memorize every tag you have created. 


Asset Tags 


Asset Tags provide a flexible, scalable, and dynamic solution to help you label and
identify hosts. Asset tags are continuously updated when new data and information are
provided by Qualys Sensors, including Scanner Appliances and Cloud Agents.

CSAM is a core component of the Qualys Cloud Platform and it provides a centralized 
location for creating and managing Asset Tags. 


Create Hierarchy 


Asset Tags are organized into hierarchical structures or parent/child relationships. Some 
tags serve both a Parent and Child role. 


[Figure: example tag hierarchy]

- Root tag (Parent/Root)
  - Linux (Child)
  - Windows (Parent/Child)
    - Windows Server
    - Windows Client


Many tag hierarchies begin with a static “parent” that serves as a “placeholder” for its 
dynamic “child” tags. Tags located at higher levels of the hierarchy reflect a broader 
scope of host assets, while tags at lower levels of each hierarchy represent a more finite 
set of assets. A single host asset can have multiple tags, simultaneously. 


Dynamic Rule-Based Tags 


Dynamic Asset Tags are created using various types of Asset Tag Rule Engines. These 
tags are automatically updated as new information is received from Qualys Sensors. The 
“Asset Inventory” rule engine allows you to build tags using the Qualys Query Language 
and various query tokens, including the hardware, OS, and software category tokens. 


Choose from various types of Asset Tag Rule Engines:

- Asset Name Contains
- Asset Inventory
- IP Address In Range(s)
- IP Address In Range(s) + Network(s)
- Open Ports
- Cloud Asset Search
- Vuln(QID) Exist
- Groovy Scriptlet


Operating System Tags 

Often, you'll want to build reports or create widgets and dashboards by operating 
system. By creating a tagging structure which will automatically tag your hosts, you’ll be 
able to easily report, filter, and query by operating system. 


The “Asset Inventory” rule engine and the “operatingSystem” query token provide a
convenient way to label hosts by their OS.


Tag Type: Dynamic
Rule: Asset Inventory
Query: operatingSystem.category1:windows


In the above illustration, the Asset Inventory query token operatingSystem.category1 is
set to select all hosts with the Windows OS.


When testing your queries, hosts that meet the query condition(s) will Pass, while all
other hosts will Fail.


Rule: Asset Inventory
Query: operatingSystem.category1:windows

Test Rule Applicability on Selected Assets

demo17.s02.sjc01.qualys.com   Pass
demo21.s02.sjc01.qualys.com   Pass
demo20.s02.sjc01.qualys.com   Fail
demo15.s02.sjc01.qualys.com   Fail
demo14.s02.sjc01.qualys.com   Fail
demo13.s02.sjc01.qualys.com   Fail
demo19.s02.sjc01.qualys.com   Pass
demo18.s02.sjc01.qualys.com   Pass


Using the “Evaluate Rule on Creation” option (while building or editing a tag) will add the
tag to hosts that have already been scanned.




When you create a dynamic tag, it is applied to all scanned hosts that match the rule
you defined. You can filter the assets list to show only those that match your new tag
rule.


When you create a static tag, you need to apply it manually to your assets from the
Inventory tab.


Navigate to the following URL to view the “Dynamic Rule-Based Tags” tutorial: 


https://ior.ad/7O2M 


Example Queries 


To build a dynamic tag for Relational Database Management Systems, use the “Asset 
Inventory” rule engine with the following query: 


software: (category:Databases / RDBMS) 


The first value (Databases) is separated from the second value (RDBMS) by the slash 
(“/”) symbol. 


To build the same tag exclusively for “Server” host assets, use the “Asset Inventory” rule 
engine with this modified query: 


software: (category:Databases / RDBMS) and operatingSystem.category2:server


The Boolean operator “AND” combines the query from the previous example, with an 
additional query token/condition. Boolean operators AND, OR and NOT can be 
leveraged to build accurate and effective queries. 


Recommendation 


Use the discussion on the Qualys Community to build your Asset Groups and Asset Tags
for your own organization. You can practice in the trial account you are using, but
building a good asset management system of well-formed tags and Asset Groups is
critical to having a functional security program and clean implementation in Qualys.


Here is a checklist of steps to take before you start scanning and deploying your agents.
This will save you time when it comes time to build your own scans, reports,
dashboards, and queries.


Checklist:

- Build Asset Groups based on the physical locations in your organization
- Create Asset Tagging hierarchies for the following (see the discussion link above
  for how to build them):
  - Operating System
    - All different operating systems in your environment
  - Host Type
    - Cisco devices
    - Workstations
    - Servers
    - Printers
    - Etc.
  - Authentication Results
    - Devices where sudo isn’t being used
    - Where is NTLM v1 used?
    - Where is NTLM v2 used?
    - Where is Kerberos used?
  - Informational
    - Firewall detected
    - Sticky keys enabled
    - Is this host configured via DHCP?
    - Do we think there was interference when we ran our scan?
    - Is the host stale (or hasn’t been scanned in X days)?
  - Registry Settings
    - Critical Registry access denied
    - Hardware info not accessible
    - Installed Patches not accessible
    - Installed software not accessible
    - System info not accessible
  - Agentless Tracking
    - Agentless Tracking Errors
    - Agentless Tracking used
  - Web Servers
    - IIS
    - Apache
    - Web Server stopped responding
  - Cloud-Based Tags
    - Running assets
    - Terminated assets
    - Stopped assets


Asset Criticality Score


With GAV/CSAM, you can apply tags manually or configure rules for automatic 
classification of your assets in logical, hierarchical, business-contextual groups. And you 
can assign Asset Criticality through tags to establish asset priorities. 


Asset Tag Criticality 


You can set the asset criticality score from 1 to 5, where 1 is the lowest criticality
and 5 is the highest criticality that can be assigned to an asset.


[Screenshot: Create New Tag dialog with the Asset Criticality Score selector. The dialog notes that the asset criticality score will be applied to all assets belonging to child tags if this is a parent tag.]


Types of tags for which a user can enable and assign a Criticality Score, or disable
the Criticality Score:

- Dynamic tag
- Static tag
- IFA (Internet facing asset tag): the only system tag for which we can add an asset
  criticality score.
- Asset groups


Asset Criticality 


CSAM automatically calculates the Asset Criticality Score of an asset based on the highest
aggregated criticality.


Example: Asset A1 has three tags attached with Criticality Scores as listed in the table.


Tag    Criticality Score
T1     2
T2     4
T3     *Null


So the Criticality Score for this asset is 4.


*Note that the tag criticality score for system tags will always be Null. We cannot assign any
criticality to them. Examples: Cloud Agent, Business Unit, etc.


Criticality for Asset Group Tags 


Assets that are part of the current Business Criticality of Asset Groups in Vulnerability 
Management are mapped to their respective criticality levels. 


The following mapping is used:


- Critical Business Group - Level 5 ACS
- High Business Group - Level 4 ACS
- Medium Business Group - Level 3 ACS
- Minor Business Group - Level 2 ACS
- Low Business Group - Level 1 ACS


ACS - Asset Criticality Score


Inventory Asset list Page 


The Criticality Score calculation for an asset can be seen by clicking the score in the
Inventory section.


The default criticality score for an asset is 2 (if no tag with a Criticality Score is
attached to it).


[Screenshot: Asset Criticality Score pop-up showing "Default Criticality Score Applied". Associated tags do not have any criticality score assigned. In order to change the criticality score, assign a criticality score to at least one of the associated tags.]


If the criticality score assigned to a tag is updated (for example, from 4 to 5), the
Criticality Score for associated assets is updated after the subsequent scan, when the
existing tag rule is modified, when a new tag is assigned to an asset, when an existing
tag is removed from the asset, or on tag re-evaluation.


Navigate to the following URL to view the “Asset Criticality Score” tutorial: 


https://ior.ad/7MPK 


Product Lifecycle Management


End-of-life and end-of-support software and obsolete hardware pose a risk to
organizations. Not only are organizations unable to get support, which can lead to
extended downtime and technical issues that decrease performance and
productivity, but internal and external compliance can also be affected.


Together with a comprehensive IT reference catalog, and the normalization of discovery 
data to it, CSAM provides a clean and categorized asset inventory that significantly 
increases the fidelity on which organizations can make decisions about their inventory. 


Hardware Lifecycle Management 


CSAM provides hardware vendor lifecycle dates and support details. CSAM currently has
lifecycle information for over 100 hardware manufacturers and over 45,000 models.
These numbers are subject to change as Qualys continuously adds new hardware
manufacturers, products and models to its catalog.


[Screenshot: search bar autocomplete listing the tokens hardware.lifecycle.eos, hardware.lifecycle.ga, hardware.lifecycle.intro, hardware.lifecycle.obs and hardware.lifecycle.stage]


You can use multiple search tokens in CSAM to quickly filter assets based on their 
hardware lifecycle information. 




You can review detailed hardware lifecycle information to identify assets requiring 
replacement or upgrade. 


Using this information, organizations can analyze how end-of-life and end-of-support
may affect their current assets and plan accordingly (e.g. technology refreshes,
extended warranty and support, etc.).


Software Lifecycle Management 


CSAM also provides software vendor lifecycle dates and support details, so that
organizations can analyze how end-of-life and end-of-support software in their
environment may pose risk and potential productivity impact (e.g. lack of patches,
incompatibility with future OS/applications, etc.).


[Screenshot: search bar autocomplete on the Software tab listing software:(lifecycle.eos, software:(lifecycle.ga and software:(lifecycle.stage]


You can use multiple search tokens in CSAM to quickly filter assets and software based 
on the software lifecycle information. 


[Screenshot: software inventory filtered with the query software: (lifecycle.eol: [now ... now+3M]), listing software releases with their category, license and GA/EOL lifecycle dates]


You can find out what software/OS is end-of-life or end-of-support now and within a
future timeframe, so that you can assess impact and plan proper remediation (e.g.
technology refresh, OS compatibility checks, budgeting, etc.).


This gives IT teams some notice on when software updates are needed. You can also 
search on end-of-support. 


Navigate to the following URL to view the “Product Lifecycle Management” tutorial: 


https://ior.ad/7MPM 


Software Authorization


Unauthorized software is a big problem for many organizations. Any software that is not 
authorized is likely unmanaged without proper patching, updates, configurations, and 
security protocols. Attackers are constantly looking for vulnerable targets. Unauthorized 
software increases the risk of outsiders gaining access to sensitive data. 


This capability, included with CSAM:

- Provides a key NIST requirement to help organizations automate tracking and
  alerting of unauthorized software.
- Leverages a well-structured software catalog (with normalization &
  categorization) to deliver this capability.
- Enables organizations to define unauthorized & authorized software lists using
  rules.
- Enables organizations to track, monitor and report on authorized and
  unauthorized software in the inventory.


Create Rules 


Rules help you to track and report installations of authorized and unauthorized software
based on user-defined lists.


Software Rules


Rules can be configured for a subset of devices on the basis of tags.


[Screenshot: Create New Rule wizard, step 2 of 4 (Select Assets). Hosts having the "Database Server" tag are included and hosts having the "Passive Sensor" tag are excluded.]


Rules are designed for specific groups of assets. For example, while browsers are
commonly authorized for use on desktop and laptop systems, they add greater risk to a
host and should NOT be authorized for production servers.


An asset may be associated with multiple rules.
You can create rules to define the following software authorization:


1. Authorized
2. Unauthorized
3. Needs review




Software Version/Update Criteria 


Rules support criteria for software versions and updates. 


[Screenshot: Select Software step, Add Authorized Software]

PRODUCT              PUBLISHER   CATEGORY                        CRITERIA
SQL Server Data...   Microsoft   Databases / RDBMS               Above - Version
Oracle Database      Oracle      Databases / RDBMS               In Between - Version
Cloud Agent          Qualys      Security / Endpoint Managem...  Above - Update


Each product can be configured to match against a specific Version or Version Updates
(Release).


Further, a user can configure rule matching under the following categories for a single
product:


- Any Version (default setting): applies the rule to all versions of the selected product.
- Specific Versions: applies the rule to the selected subset of the product's versions.
- In Between Versions: applies the rule to versions of the product that fall between the
  two selected versions. Please note that the selected versions are excluded from
  the matching criteria.
- Above: applies the rule to versions of the product that are greater than the
  selected version. Please note that the selected version is excluded from the
  matching criteria.
- Below: applies the rule to versions of the product that are less than the
  selected version. Please note that the selected version is excluded from the
  matching criteria.


Rule Processing Workflow 


An asset qualifies for rules if:

- It has tags
- It has software
- It has matching rules based on inclusion and exclusion tags


For a newly created asset, the software authorization rule won't be applied to the asset
because tag evaluation happens after the asset creation. In the subsequent scan, the
software authorization rule will be applied to the asset.


If an asset qualifies for rule processing, we match each software on such an asset
against the software configured in each category for the asset. If there is a match:


- We will compare the matching product's version and see if it applies based on
  the set version/update criteria AND utilizing the rule order attribute.
- If the criteria results are true, an authorization flag will be set for the software.

[Screenshot: Rule Processing Order list on the Rules tab showing, in order, the rules Database Servers (tag: Database Server), Web Server (tag: Webserver), Data Center Server (tag: Type: Servers) and Clients (tag: Type: clients), all Enabled]


Rules are applied on the basis of rule order precedence. 


We will start matching from highest priority first, and skip software which has already 
been categorized for the given asset, as we go down the order. 


For example, if Bit Torrent software is marked "Unauthorized" in a rule with Order
Number 1 and "Authorized" in another rule with Order Number 2, then that software
will be set as "Unauthorized" because it is processed by the first rule, which has the higher
priority.
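
The processing order and the exclusive version criteria described above can be modelled as follows. This is an added sketch, not Qualys code: the `Rule` structure, the `authorize` function and the sample rules and asset are assumptions constructed for illustration, with versions compared as dotted integers and tag lists matched with "Any".

```python
"""Model of the rule-processing workflow (added example, not Qualys code).

Assumptions: versions are dotted integers, include/exclude tag lists use
"Any" matching, and every name below is hypothetical.
"""
from dataclasses import dataclass, field


def ver(text):
    """Parse '5.7.1' into (5, 7, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def criteria_match(criteria, selected, installed):
    """Apply one version criterion to an installed version.

    Above, Below and In Between exclude the selected versions themselves.
    """
    v = ver(installed)
    picked = [ver(s) for s in selected]
    if criteria == "any":
        return True
    if criteria == "specific":
        return v in picked
    if criteria == "above":
        return v > picked[0]
    if criteria == "below":
        return v < picked[0]
    if criteria == "between":
        return min(picked) < v < max(picked)
    raise ValueError(f"unknown criteria: {criteria}")


@dataclass
class Rule:
    order: int                      # 1 is the highest priority
    name: str
    include_tags: set
    exclude_tags: set = field(default_factory=set)
    # each entry: (product, authorization, criteria, selected versions)
    entries: list = field(default_factory=list)

    def applies_to(self, asset_tags):
        """A rule applies when an include tag matches and no exclude tag does."""
        return bool(self.include_tags & asset_tags) and not (self.exclude_tags & asset_tags)


def authorize(asset_tags, installed, rules):
    """Return {product: (authorization, rule name)} for one asset.

    installed maps product name to installed version. Rules are walked in
    order; software categorized by an earlier rule is skipped afterwards.
    """
    result = {}
    if not asset_tags or not installed:
        return result               # asset does not qualify for rule processing
    for rule in sorted(rules, key=lambda r: r.order):
        if not rule.applies_to(asset_tags):
            continue
        for product, authorization, criteria, selected in rule.entries:
            if product in installed and product not in result:
                if criteria_match(criteria, selected, installed[product]):
                    result[product] = (authorization, rule.name)
    return result


# Constructed sample data (hypothetical rules and asset).
RULES = [
    Rule(2, "Data Center Server", {"Type: Servers"}, entries=[
        ("Bit Torrent", "Authorized", "any", []),
        ("MySQL Server", "Needs Review", "any", []),
    ]),
    Rule(1, "Database Servers", {"Database Server"}, {"Passive Sensor"}, entries=[
        ("Bit Torrent", "Unauthorized", "any", []),
        ("MySQL Server", "Authorized", "above", ["5.7"]),
    ]),
]
ASSET_TAGS = {"Database Server", "Type: Servers"}
INSTALLED = {"Bit Torrent": "7.10", "MySQL Server": "5.7", "Notepad++": "8.4"}

if __name__ == "__main__":
    for product, verdict in authorize(ASSET_TAGS, INSTALLED, RULES).items():
        print(product, verdict)
```

In the sample, MySQL Server 5.7 is not authorized by the order 1 rule because "Above 5.7" excludes 5.7 itself, so it falls through to the order 2 rule; software that no rule lists stays uncategorized.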


Navigate to the following URL to view the “Software Authorization from Rules Tab” 
tutorial: 


https://ior.ad/7MPJ 


Software Inventory


The Inventory -> Software tab gives an overview of the software on the assets in your 
organization, such as software license, platform, lifecycle related information, end of life 
details of a software, authorized/unauthorized software, etc. 




You can add a particular software to an authorization rule and view the authorization 
rule associated with the software. 


To add a software to the authorization rule, click Add To Authorization Rule from 
the Quick Actions menu. 




If the software doesn't have any update, you'll see only one radio button, "Entire
Product", and it is auto-selected.


Select the Authorization from the drop-down list, then choose an existing rule or create a new rule to
which the selected software will be added.


Navigate to the following URL to view the “Software Authorization from Software 
Tab” tutorial: 


https://ior.ad/7OGZ 


Rule Conflicts 


Make sure you have not selected the same specific software (with version and/or 
update) in different categories. 


[Screenshot: Select Software step with conflicting criteria]

Authorized Software:

PRODUCT        PUBLISHER   CATEGORY            CRITERIA             VERSIONS/UPDATES
MySQL Server   Oracle      Databases / RDBMS   Below - Version      7.6

Unauthorized Software:

PRODUCT        PUBLISHER   CATEGORY            CRITERIA             VERSIONS/UPDATES
MySQL Server   Oracle      Databases / RDBMS   Specific - Version   5.7

Error message: "The criteria in Authorized and Unauthorized bucket is conflicting for
MySQL Server. Request you to update the criteria."


If you select the same specific software in two different categories, an error
message is shown while creating the rule. For example, if you select the ‘MySQL’ product with 'Specific
- Version = 5.7' criteria in the 'Unauthorized' category and the ‘MySQL’ product with 'Below
- Version = 7.6' criteria in the ‘Authorized’ category for the same rule, “MySQL 5.7”
will be considered in both categories, which is conflicting. Doing so will result in an
error when saving the rule as illustrated above.


[Screenshot: Select Software step mixing Version and Update criteria]

Authorized Software:

PRODUCT        PUBLISHER   CATEGORY            CRITERIA          VERSIONS/UPDATES
MySQL Server   Oracle      Databases / RDBMS   Above - Version   6.0

Unauthorized Software:

PRODUCT        PUBLISHER   CATEGORY            CRITERIA          VERSIONS/UPDATES
MySQL Server   Oracle      Databases / RDBMS   Below - Update    5.6.14

Error message: "Selecting Update and Version criteria in different buckets for the
same product is prohibited. Select either Update or Version in only
one category for [MySQL Server]"


Selecting Version and Update criteria in different categories for the same product is
also prohibited. For example, you are not allowed to select the ‘MySQL’ product with “Version”
criteria in the ‘Authorized’ category and the “MySQL” product with “Update” criteria in the
‘Unauthorized’ category for the same rule. Doing so will result in an error when saving
the rule as illustrated above.
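
Both conflict checks described above can be expressed as span logic over versions and run before a rule is saved. This is an added sketch, not Qualys code: the entry layout, the function names and the sample entries (taken from the two illustrations plus one constructed non-conflicting case) are assumptions, and versions are treated as dotted integers.

```python
"""Pre-save conflict check for one rule's buckets (added example, not Qualys code).

Entry layout (assumed): (product, bucket, scope, criteria, selected versions),
where scope is "version" or "update".
"""
from itertools import combinations


def ver(text):
    """Parse '5.6.14' into (5, 6, 14)."""
    return tuple(int(part) for part in text.split("."))


def spans(criteria, selected):
    """Turn a criterion into (low, high, is_point) spans; None means unbounded.

    Above, Below and In Between exclude the selected versions (open ends);
    a specific version is a single point.
    """
    picked = sorted(ver(s) for s in selected)
    if criteria == "any":
        return [(None, None, False)]
    if criteria == "specific":
        return [(p, p, True) for p in picked]
    if criteria == "above":
        return [(picked[0], None, False)]
    if criteria == "below":
        return [(None, picked[0], False)]
    if criteria == "between":
        return [(picked[0], picked[-1], False)]
    raise ValueError(f"unknown criteria: {criteria}")


def contains(span, v):
    """True when version v lies inside the span."""
    low, high, is_point = span
    if is_point:
        return v == low
    return (low is None or low < v) and (high is None or v < high)


def overlap(a, b):
    """True when two spans share at least one version."""
    if a[2]:
        return contains(b, a[0])
    if b[2]:
        return contains(a, b[0])
    low = max((x for x in (a[0], b[0]) if x is not None), default=None)
    high = min((x for x in (a[1], b[1]) if x is not None), default=None)
    return low is None or high is None or low < high


def find_conflicts(entries):
    """Return (product, reason) for every conflicting pair of entries in one rule."""
    problems = []
    for x, y in combinations(entries, 2):
        if x[0] != y[0] or x[1] == y[1]:
            continue                 # different product, or same bucket
        if x[2] != y[2]:
            problems.append((x[0], "version and update criteria mixed across categories"))
        elif any(overlap(a, b) for a in spans(x[3], x[4]) for b in spans(y[3], y[4])):
            problems.append((x[0], f"{x[1]} and {y[1]} criteria overlap"))
    return problems


# Entries from the first illustration: 5.7 is both "Below 7.6" and "Specific 5.7".
CONFLICTING = [
    ("MySQL Server", "Authorized", "version", "below", ["7.6"]),
    ("MySQL Server", "Unauthorized", "version", "specific", ["5.7"]),
]
# Entries from the second illustration: Version and Update criteria are mixed.
MIXED = [
    ("MySQL Server", "Authorized", "version", "above", ["6.0"]),
    ("MySQL Server", "Unauthorized", "update", "below", ["5.6.14"]),
]
# Constructed case: no overlap, because both criteria exclude 5.7 itself.
CLEAN = [
    ("MySQL Server", "Authorized", "version", "above", ["5.7"]),
    ("MySQL Server", "Unauthorized", "version", "below", ["5.7"]),
]

if __name__ == "__main__":
    for name, entries in (("conflicting", CONFLICTING), ("mixed", MIXED), ("clean", CLEAN)):
        print(name, find_conflicts(entries))
```

The constructed `CLEAN` case passes the check, yet version 5.7 itself lands in neither bucket, which is worth reviewing when the intent was to cover every version.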


Visualize Data Using Dashboards


Having collected all of the asset inventory data, we need a way to view and understand 
it. Getting a summary of your inventory from multiple perspectives is critical when 
organizing your IT and Security programs. 


There are multiple ways to get data with Qualys: queries, widgets and dashboards,
report templates and APIs.


Dashboards                                   Qualys Users
On-demand QQL Queries                        Qualys Users       NO   CSV
Report Templates                             Qualys Users       NO   CSV
APIs (bulk data export)                      Qualys Users       NO   CSV, JSON
Third Party Integration (ServiceNow, etc.)   Non-Qualys Users   NO   Varies depending on third party application


Queries are the fastest way to get data and are best-suited when you’re looking for 
quick answers, typically to one-time questions. Examples include — how many of my 
assets have not been scanned in the past 30 days, how many hosts with a specific 
operating system or software exist, etc. 


Widgets and dashboards allow for visual representation of data and are built using 
queries. They are suitable for data that needs to be constantly monitored. Examples 
include — assets with EOL/EOS software, assets with unauthorized software, assets with 
open-source database instances, distribution of operating systems, etc. 


This includes count, bar, table, and pie graph widgets. 
Qualys provides ready-to-use templates for dashboards and widgets that you can
quickly add to your list of dashboards to start monitoring your assets.


[Screenshot: "Add Widget to Dashboard (CSAM)" dialog with the tabs All Widgets (18), Default Widgets (13) and User-defined Widgets (1). Templates are grouped by application (Certificate View, Container Security, CloudView, File Integrity Monitoring, EDR, CSAM, Policy Compliance, Patch Management, XDR, Threat Protection, Vulnerability Management). Widget templates shown include "Asset Categories" (chart shows top asset categories) and "Asset Distribution by Geolocation" (chart shows distribution of assets by Geolocation), each with "Add To dashboard" and "Customize widget" options.]


New templates are regularly published to the template library in your Qualys account. 


From the templates, choose the one that best fits the asset data you need to see and
create a dashboard.


You can add more widgets to a dashboard, edit existing widgets, change the layout of
widgets and much more.


[Screenshot: dashboard tools menu with the options Set as Default Dashboard, Edit Dashboard, Edit Dashboard Layout, Create New Dashboard, Create Template from this Dashboard, Delete Dashboard, Add Widget, Show Dashboard Description, Print Dashboard, Export this Dashboard and Import New Dashboard.]


For a detailed discussion on building custom dashboards and widgets, please see the 
“Reporting Strategies and Best Practices Self-Paced Training Course” 
(qualys.com/learning). 
[Screenshot: "QLYS-CSAM-Demo: Database Servers" dashboard in CyberSecurity Asset Management (Last 30 Days), with widgets including Asset Category, DB Servers by Geolocation, OS Category and Hardware Category.]


The main focus of most attacks targeting organizations is client data, so as a
security professional you are focused on the security of that data. Databases are the
primary location of company data, so you really want to understand your database
landscape and identify any potential security concerns. For that, you can have a
dashboard focused on database servers.


The dashboard illustrated above is one of many that we have and is highly configurable
to show the view you need to accomplish your job.


It immediately shows us a summary of key data:

- Total assets with database instances
- Internet facing database servers
- Unmanaged database server assets
- High criticality database server assets
- Etc.

It also groups assets by category, geolocation, publishers and associated business
apps.


The key point here is that this one dashboard gives you a comprehensive at-a-glance 
view of your database landscape, highlighting areas of concern. 


Let’s consider the ‘Unmanaged Assets with database’ widget, for instance. We know
about the number of ransomware attacks happening, and one thing that security teams
are worried about is identifying databases they don’t know about, which are therefore
vulnerable to attack.
[Screenshot: Asset Details for 192.168.1.184, Traffic Summary view. Traffic details come from the Passive Sensor, from Jul 20, 2021 (00:14) to Jul 23, 2021 (11:46). The "Traffic by Family" table has the columns Family, App/Service, Client/Server, Ingress, Egress and Total, with rows for services such as NetBIOS Session Service, NetBIOS, Microsoft-DS, EPMAP (End Point Mapper), icmp, udp and, in the RDBMS family, MSSQL Server.]


Going into the “unmanaged” asset details, you can see the incoming and outgoing traffic,
which can be tracked by app/service. This information comes from our Passive Sensor,
and we determine whether a database is installed by checking the network traffic on
assets.


Another snapshot view is Internet Facing assets. As security teams consider database 
server risk, visibility on the internet is one key aspect that can drive attacks. Database 
servers should be carefully reviewed to verify if they should have this kind of exposure. 


The Asset Criticality measure allows the team to track the importance of assets to the
business. This can be overlaid with other in-context data to better find assets that
need to be addressed quickly.

So as a security admin, all of this information lets you quickly and easily focus on
high-risk database instances so that you can address them quickly by updating or
removing them.


Navigate to the following URL to view the “Visualize Data Using Dashboards” tutorial: 


https://ior.ad/7Pud 




Reports 


Mandates like FedRAMP and PCI require you to track all assets and software, as well as 
continuously monitor their security gaps. With CSAM you can easily generate reports so 
you can demonstrate compliance. Reporting includes configurable out-of-the-box 
templates, for example to address FedRAMP requirements. You can also generate 
reports to provide information about your environment to internal or external 
stakeholders using our reporting function. 


[Screenshot: REPORTS tab in CyberSecurity Asset Management. The "Create Report" menu offers Asset Details, Software Details and Compliance Report, next to the "Create Interactive Report" button. The report list has the columns Report Name, Created By, Created On and Template.]


Asset Details Report 


This report shows asset inventory data for selected assets based on host information 
(attributes). 


[Screenshot: step 3 of 4, "Report Display", of "Create New: Asset Details", where you select the columns you want to show in your report. The Host Information attributes shown include, among others:
Asset ID, Asset Host ID, Asset Name, Asset Type, MAC Address, IP Address, Asset Time Zone, Hardware, Operating System, NetBIOS Name, DNS Hostname, Asset Created Date, Asset Last Updated Date, Last VM Scan Date, Last Compliance Scan Date, Bios Description, Last Boot Date,
Sources, Last Logged On User, Bios Serial Number, Bios Asset Tag, Is Container Host, OS Category 1, OS Category 2, OS Product Name, OS Publisher, OS Edition, OS MarketVersion, OS Product Family, OS GA Date, OS EOL Date, OS EOS Date, OS Lifecycle Confidence, OS Lifecycle EOL Support Stage,
Hardware Category1, Hardware Category2, Hardware Manufacturer, Hardware Product, Hardware Model, Hardware Product URL, Hardware Product Family, Hardware Lifecycle Intro Date, Hardware Lifecycle GA Date, Hardware Lifecycle Obsolete Date, Hardware Lifecycle Stage, Inventory Date, Location, Location City.]

You can select the asset scope for the report using asset name, asset tags or
queries.


Once you create a report, it shows the 'Accepted' status. Once report execution is
finished, it shows the status 'Completed' and you'll be able to download the report.


REPORT NAME            CREATED BY   CREATED ON                 TEMPLATE        STATUS
Asset Details Report   trann3fq27   6 October, 2021 10:04 AM   Asset Details   Completed


The attributes selected in the report will be column headers in the CSV report. 


[Screenshot: the downloaded CSV report opened as a spreadsheet, one row per asset. Callout: "Selected attributes are listed in column headers" (for example Asset Name, Asset Type and MAC Address).]


Software Details Report 


This report shows details of the selected assets based on software and host
information (attributes).


[Screenshot: "Report Display" step, where you select the columns you want to show in your report.

Software Information: Software Name, Software Type, Software Product, Software Version, Software Update, Software Publisher, Software Authorization Status, Software Product Family, Software Category 1, Software Category 2, Software Component, Software Edition, Software Market Version, Software Architecture, Software Package Name, Software Support Stage Description, Software Lifecycle GA Date, Software Lifecycle EOL Date, Software Lifecycle EOS Date, Software Lifecycle Stage, Software Lifecycle Confidence, Software Lifecycle EOL Support Stage, Software Lifecycle EOS Support Stage, Software Lifecycle Support Stage, Software License Category, Software License Subcategory, Software Instance Count, Software Product URL, Software Formerly Known As, Is Software Package, Is Software Package Component

Host Information: Asset ID, Asset Host ID, Asset Name, Asset Type, Sources, Last Logged On User, Bios Serial Number, Bios Asset Tag, Hardware Category1, Hardware Category2, Hardware Manufacturer, Hardware Product]


Compliance Report 


This report shows details of the assets for FedRAMP compliance, based on
software and host information (attributes).


[Screenshot: column selection for the Compliance Report.

Software Information: Software/Database Vendor, Software/Database Name & Version, Patch Level, Function, Comments, Software Lifecycle GA Date, Software Lifecycle EOL Date, Software Lifecycle EOS Date, Software Lifecycle Stage, Software Lifecycle Confidence, Software Lifecycle EOL Support Stage, Software Lifecycle EOS Support Stage

Host Information: Qualys Unique identifier, UNIQUE ASSET IDENTIFIER, IPv4 or IPv6 Address, Virtual, Public, DNS Name or URL, NetBIOS Name, MAC Address, Authenticated Scan, Baseline Configuration Name, OS Name and Version, Location, Asset Type, Hardware Make/Model, In Latest Scan, Bios Asset Tag, Bios Serial Number, VLAN/Network ID, System Administrator/Owner, Application Administrator/Owner, OS Lifecycle GA Date, OS Lifecycle EOL Date, OS Lifecycle EOS Date, OS Lifecycle Stage, OS Lifecycle Confidence, OS Lifecycle EOL Support Stage, OS Lifecycle EOS Support Stage, HW Lifecycle GA Date, HW Lifecycle Intro Date, HW Lifecycle EOS Date, HW Lifecycle Obsolete Date, HW Lifecycle Stage, HW Lifecycle Confidence]


This report satisfies your auditors without you having to manually extract and
aggregate the data, or push the data to a 3rd party and do manual scripting. This makes
your job much simpler and quicker.


Navigate to the following URL to view the “Asset Details, Software Details and 
Compliance Reports” tutorial: 


https://ior.ad/7MPO 
Interactive Report


This report provides an interactive workflow and focuses on asset health issues instead 
of just inventory data. By correlating security gaps with asset context and business 
context, the Interactive Report will help you to “zero in” on the most critical asset health 
issues so that you can address them quickly. 


[Screenshot: REPORTS tab in CyberSecurity Asset Management, with the "Create Interactive Report" button next to "Create Report".]


After selecting one or more asset tags as your targeted assets, you are provided a 
summary of all assets that are in scope and the area of concern. 


[Screenshot: Interactive Report with the selected asset tags (for example Internet Facing, Server, Cloud Agent, Sensitive data, Database Server, Web Server) and three summary cards: Total Assets (total assets in scope), Internet Facing Assets (assets exposed to the Internet) and Assets with Security Gaps (assets with one or more security gaps, with a breakdown by security gap).]


Internet Facing Assets 

Hosts with public interfaces are at greater risk because of their exposure to the Internet, 
especially with vulnerabilities that can be exploited without authentication. The risk 
becomes even more significant if the same host has unauthorized and EOL/EOS 
software. So, you need to have visibility into assets with such an exposure. 


From here, you can pivot further on assets of interest by applying various filters. The 
filter options are provided in three categories: 


Business Context 

It’s important to consider the business impact of an asset when prioritizing assets for 
security gap analysis. Here, you can select Asset Criticality, Department and Asset 
Support Groups as filters. 
[Screenshot: Business Context filter with the Asset Criticality slider, ranging from Most Critical to Least Critical.]


With the slider set to the position illustrated above, only assets with a Criticality
score of 4 and 5 will be considered for the report.


[Screenshot: additional Business Context filters.
DEPARTMENT: IT Operations, DevOps, Corp IT, Customer Support
ASSET SUPPORT GROUP: DevOps Group, IT Operations, Corp IT, Development Group]


Department and Asset Support Group filters are based on business information derived 
from CMDB sync and provide additional means to refine your asset scope. 


Asset Categories 

You can also use Level 1 hardware (server, desktop, mobile device, network device,
etc.) and OS (Windows, Linux, Mac, etc.) category filters, which give the user an idea
about the primary function of the product, to pivot on specific asset categories. The
categories listed in the report are based on the assets that are mapped to the selected
asset tags.


[Screenshot: Asset Categories filter.
HARDWARE: Cloud Instance (2.47K), Unidentified (2.24K), Server (445), Virtual Machine (135), Switch (9), Bridges and Routers (8), Unknown (7), Firewall Device (6), Server Load Balancer (4), Desktop (2), Network Attached Storage (NAS) Device (1), Terminal Server (1)
OS: Linux (3.01K), Unidentified (1.22K), Windows (957), Unix (42), Firmware (38), Network Operating System (36), Virtualization (23), Mac (2), Filesystem Software (1), Unknown (1)]


Security Gap 
And lastly, you can filter assets based on the security gap area such as EOL/OBS 
hardware, EOL/EOS software or OS and unauthorized software. 
[Screenshot: Security Gap filter with the options Unauthorized Software, EOS/EOL Software, OBS/EOS Hardware and EOS/EOL OS.]


Once your filter options have been selected, click the “Generate Report” button. 




The displayed assets and software will reflect the priority options you specify. 


[Screenshot: report results with the Assets (13) and Software (110) tabs. Summary cards at the top include Unauthorized Software, EOS Software, EOL Software, OBS Hardware, EOS Hardware and EOS OS. The asset table (1-13 of 13) has the columns Asset, Asset Criticality, System Info, Owner, Location and Software Issues (EOL/EOS, Unauthorized).]


At the top, you can see a summary count of assets or software instances (depending
on whether you are in the Assets or the Software section of the result) with a security
gap. Clicking on these cards/numbers filters assets/software by the identified
security gap.


Navigate to the following URL to view the “Interactive Report” tutorial: 


https://ior.ad/7OWM 
Rule-Based Alerts


Rule-based alerts provide ongoing detection, automatically triggering alerts for critical
events based on real-time activity. This time-saving automation eliminates the need to
manually search for the same events or security gaps over and over.


In CSAM, you can configure rules to monitor critical events and define actions to send 
you alert messages if events/incidents matching the condition are detected. 


You can set rules and create actions under the 'RESPONSES' tab.
On the RESPONSES tab:
1. Define Actions > Configure rule actions to specify one or more actions to be
performed when events matching a condition are detected. You can set alerts to be
sent by Email, PagerDuty, or Post to Slack.


[Screenshot: Responses > Actions tab listing the action "Alert Sec Ops Email: Trickbot Detection" ("Alert on any Trickbot detections") with 1 active rule.]


2. Set up your rules in the Rule Manager tab > Here you create a rule with specific
criteria and then determine a course of action for any instance that meets the
criteria.


Let’s say your goal here is to track all databases that are going to be EOS in 6 
months. You want some time to react and address the issue before they actually go 
EOS. 


The QQL query to configure for this rule is:
software:(category1:Databases* and component:"Server" and lifecycle.eos:[now+179d ... now+180d])


Using this type of alert, your security teams can always stay on top of EOL/EOS 
software in your environment. 
[Screenshot: rule creation form. Rule Name: "Rule to Alert for EOS Database". Description: "Email alert for upcoming Database EOS event." Rule Query: the QQL query given above. Action: "Email Alert for EOS Database". Recipient: dbowner@qualys.com.]


Currently, CSAM only supports single match, that is, one alert for one match.


Asset Tokens 


CSAM also supports the use of tokens within the message body, which work as
placeholders or variables for data values that populate when the search completes. You
can include a variety of search tokens pertaining to asset search, cloud metadata search
and others. All 3 action types (Email, Slack, PagerDuty) support the use of tokens.
[Screenshot: list of available tokens]

asset.created, asset.lastloggedOnUser, asset.lastUpdated, asset.name, asset.netbiosName, asset.trackingMethod, asset.lastLocation, asset.criticalityScore, asset.assetID

hardware, hardware.category, hardware.category1, hardware.category2, hardware.lifecycle.eos, hardware.lifecycle.obs, hardware.lifecycle.stage, hardware.manufacturer, hardware.model, hardware.product

interfaces.address, interfaces.gatewayAddress

inventory.created, inventory.lastUpdated, inventory.source

openPorts.firstFound, openPorts.lastUpdated, openPorts.port

operatingSystem, operatingSystem.architecture, operatingSystem.category, operatingSystem.category1, operatingSystem.category2, operatingSystem.edition, operatingSystem.installDate, operatingSystem.lifecycle.eol, operatingSystem.lifecycle.eos, operatingSystem.lifecycle.stage, operatingSystem.marketVersion, operatingSystem.name, operatingSystem.publisher, operatingSystem.update, operatingSystem.version

software.architecture, software.category, software.category1, software.category2, software.edition, software.installDate, software.lastUpdated, software.lastUseDate, software.license.category, software.lifecycle.eol, software.lifecycle.eos, software.lifecycle.stage, software.marketVersion, software.name, software.product, software.authorization, software.publisher, software.update, software.version, software.component, software.firstFound

tags.name

volumes.free

aws.ec2.availabilityZone, aws.ec2.imageId, aws.ec2.instanceState, aws.ec2.instanceId, aws.ec2.accountId, aws.ec2.instanceType, aws.ec2.launchDate, aws.ec2.privateIpAddress, aws.ec2.publicIpAddress, aws.ec2.region.code, aws.ec2.subnetId, aws.ec2.vpcId

azure.vm.location, azure.vm.name, azure.vm.privateIpAddress, azure.vm.publicIpAddress, azure.vm.resourceGroupName, azure.vm.size, azure.vm.state, azure.vm.subnet, azure.vm.subscriptionId, azure.vm.vmid

gcp.compute.hostname, gcp.compute.machineType, gcp.compute.network, gcp.compute.privateIpAddress, gcp.compute.projectId, gcp.compute.projectNumber, gcp.compute.publicIpAddress, gcp.compute.state, gcp.compute.zone


When a condition matching the rule is detected, the alert that is generated will include
the asset name, asset criticality score, hardware category, OS of the asset, etc.
depending on the tokens inserted in the message body.


When a rule is triggered based on the trigger criteria, CSAM sends alerts containing
details of the events to your configured account.


[Screenshot: email inbox with alert messages from noreply@qualys.com, with subjects such as "ITAM Alert MApper regression" and "AWS Asset [Cloud Instance only]". The open message, "Alert for Asset create and updated", lists the populated tokens: asset.assetID: 8779050, asset.created: 1622122157000, asset.lastUpdated: 1626126913997.]
The illustration above is for an email type alert action.


3. Monitor all the alerts in the Activity tab > Monitor alerts that were sent after the
rules were triggered. Users can monitor all the action events in this tab.
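On the receiving side, an alert body can be turned into a structured event for a ticketing or SIEM pipeline. The following is an added example, not Qualys code: it assumes the message body was written with one `token : value` line per token, as in the email alert illustrated earlier in this section, and that date tokens arrive as 13-digit epoch-millisecond values as they do there; the function names and the sample body are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Token families as they appear in the token list on this page.
TOKEN_PREFIXES = ("asset", "hardware", "interfaces", "inventory", "openPorts",
                  "operatingSystem", "software", "tags", "volumes",
                  "aws", "azure", "gcp")
LINE_RE = re.compile(
    r"^\s*((?:%s)(?:\.\w+)*)\s*:\s*(.*?)\s*$" % "|".join(TOKEN_PREFIXES))
EPOCH_MS_RE = re.compile(r"^\d{13}$")

# Assumption: these tokens carry timestamps. Only asset.created and
# asset.lastUpdated are shown with epoch-millisecond values on the page.
DATE_TOKENS = {
    "asset.created", "asset.lastUpdated",
    "inventory.created", "inventory.lastUpdated",
    "openPorts.firstFound", "openPorts.lastUpdated",
    "software.installDate", "software.lastUpdated", "software.firstFound",
}

# Constructed sample, modelled on the alert in the screenshot. The empty
# asset.name line is added to show a token that did not populate.
SAMPLE_ALERT = """\
Alert for Asset create and updated
asset.assetID : 8779050
asset.created : 1622122157000
asset.lastUpdated: 1626126913997
asset.name :
"""


def epoch_ms_to_iso(value):
    """Convert an epoch-millisecond string to an ISO 8601 UTC timestamp."""
    secs, ms = divmod(int(value), 1000)
    ts = datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=ms)
    return ts.isoformat(timespec="milliseconds")


def parse_alert_body(body):
    """Return {'fields': {token: value}, 'unpopulated': [token, ...]}.

    Lines that do not start with a known token family are ignored, so free
    text in the message body does not end up in the event.
    """
    fields, unpopulated = {}, []
    for line in body.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        token, value = match.groups()
        if not value:
            # A token with no value means the alert lacks that context.
            unpopulated.append(token)
            continue
        if token in DATE_TOKENS and EPOCH_MS_RE.match(value):
            value = epoch_ms_to_iso(value)
        fields[token] = value
    return {"fields": fields, "unpopulated": unpopulated}


if __name__ == "__main__":
    event = parse_alert_body(SAMPLE_ALERT)
    for token, value in event["fields"].items():
        print(f"{token:20} {value}")
    print("unpopulated:", event["unpopulated"])
```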


[Screenshot: Responses > Activity tab showing total activities (9.02K) over the last 20 days, breakdowns by rule name and by action name, and an activity list (1-50 of 9022) with the columns Rule Name, Status, Action, Matches and Created By.]


Navigate to the following URL to view the “Rule-Based Alerts” tutorial: 


https://ior.ad/7MPN 
CSAM Certification Exam


Participants in this training course have the option to take the CSAM 
Certification Exam. This exam is provided through our Learning Management 
System (qualys.com/learning). 


To take the exam, candidates will need a “learner” account. 


[Screenshot: Qualys Training & Certification login page (qualys.com/learning) with required Username and Password fields and the "Forgot your password?" and "Request a new account" links. First time users need to create an account.]


If you would like to take the exam, but do not already have a “learner” account, click the 
“Request a new account” link, from the “Qualys Training & Certification” login page 
(qualys.com/learning). 


Once you have created a “learner” account (and for those who already have an
account), click the following link to access the “CyberSecurity Asset Management
- QSC 2021” course page:


https://gm1.geolearning.com/geonext/qualys/scheduledclassdetails4enroll.geo?&id=22511237813 
From the “CyberSecurity Asset Management - QSC 2021” course page, click the “Enroll”
button (lower-right corner).


[Screenshot: class details page for the course "CyberSecurity Asset Management - QSC 2021", class "CSAM - QSC 2021". Instructor: Vibhu Gupta. Class cost: $0.00. Session time: Monday, November 15, 2021 9:00 AM to 1:00 PM (America/Los_Angeles).]


After successfully completing the course enrollment, click the “Launch” button for
the Qualys CSAM certification Exam.


[Screenshot: course page for "CyberSecurity Asset Management - QSC 2021" listing the learning activities: QSC 2021 CyberSecurity Asset Management Lab Supplement, QSC 2021 CyberSecurity Asset Management Slides and Qualys CyberSecurity Asset Management Exam, with the Progress, Last Accessed, Time Taken and Attempts columns.]


Each candidate is provided five attempts to pass the exam. 


[Screenshot: course page for "CyberSecurity Asset Management - QSC 2021" with the "Print Certificate" button.]


With a passing score of 75% (or greater), click the “Print Certificate” button to 
download and print your course exam certificate. 